WhiteSource Bolt for Github FAQ

Get Started

What is WhiteSource Bolt for GitHub?

WhiteSource Bolt for GitHub is a FREE app, which continuously scans all your repos, detects vulnerabilities in open source components and provides fixes. It supports both private and public repositories, to make sure nothing puts your product at risk.

We’ve got you covered with support for over 200 programming languages and continuous tracking of multiple open source vulnerability databases, such as the NVD and additional security advisories.

How do I install it?

To install the WhiteSource Bolt for GitHub App, go to the App page and click the ‘Install’ button. If you can’t see the ‘Install’ button, sign in to GitHub.com by clicking ‘Sign In’ and entering your credentials. For further instructions, you can find the documentation here.

I'm a WhiteSource customer and I'd like to start using WhiteSource Bolt for GitHub. Is it included in my subscription?

WhiteSource Bolt for GitHub is free of charge but is limited to 5 scans per day per repository. WhiteSource customers can purchase the WhiteSource for Developers bundle, which contains many developer-focused capabilities, GitHub repository integration being one of them. It allows an unlimited number of scans on any of your repositories. WhiteSource for GitHub.com provides similar functionality to WhiteSource Bolt for GitHub but without any scanning restrictions. In addition, it continuously tracks repositories to identify vulnerable open source components and generates fix pull requests (PRs) automatically, thus automating the remediation process.

Can I use this App on my GitHub Enterprise account?

If you are using GitHub Enterprise Server, you can purchase the WhiteSource for Developers bundle, which contains many developer-focused capabilities, GitHub repository integration being one of them. WhiteSource for GitHub Enterprise is an integrated product within GitHub Enterprise Server that shows a high-level security overview in your GitHub Enterprise repository, detects all open source components and displays all vulnerabilities for these components. It provides you with information on vulnerable and outdated open source components and generates comprehensive, up-to-date reports on the GitHub Enterprise Issues tab of the scanned repository. In addition, you will be able to view the scanned repositories in the WhiteSource portal. WhiteSource for GitHub Enterprise also automates the remediation process for vulnerable components with WhiteSource Remediate, using fix pull requests.

If you are using GitHub Enterprise Cloud, you can install WhiteSource Bolt for GitHub (limited to 5 scans per day per repository) or you can purchase the WhiteSource for Developers bundle which includes WhiteSource for GitHub.com (unlimited number of scans on any of your repositories).

What is the daily repo scan limit and how is it reached?

Any valid ‘push’ event triggers a new scan. You are limited to 5 ‘push’ actions per repository per day. See here for more information. This limitation is not applicable to WhiteSource paying customers.

How can I complete the App installation?

Once you have selected the GitHub repositories on which to install the App, a WhiteSource registration form will be displayed. Fill in the basic form details and click ‘Submit’. An onboarding pull request will be generated on each of your selected repositories. Once you merge that pull request, WhiteSource will start scanning your repository.

If you are a WhiteSource paying customer, you can purchase the WhiteSource for Developers bundle, which contains many developer-focused capabilities, GitHub repository integration being one of them. WhiteSource for GitHub.com provides similar functionality to WhiteSource Bolt for GitHub but without any scanning restrictions. In addition, it continuously tracks repositories to identify vulnerable open source components and generates fix pull requests (PRs) automatically, thus automating the remediation process.

Usage

What happens after the app is installed?

After the installation is completed, an onboarding pull request is generated on each of your selected repositories. Once you merge that pull request, WhiteSource will scan your repositories for vulnerabilities. For each vulnerability found, a new GitHub issue labeled “security vulnerability” is created.

In each of your selected repositories, we will create a new “WhiteSource” file in the root of the repository. WhiteSource uses this file to apply the necessary configuration.

When is a security scan initiated?

A scan is triggered by a valid GitHub ‘push’ event. A valid ‘push’ event needs to meet one of the requirements defined here.

What types of GitHub repositories are supported?

WhiteSource Bolt for GitHub currently supports public and private repositories on GitHub.com and GitHub Enterprise Cloud. Archived repositories are currently not supported.

Does WhiteSource Bolt for GitHub scan my repository on every commit?

Yes. WhiteSource Bolt for GitHub scans your repo on every commit and provides a full report of all open source vulnerabilities detected. A GitHub issue will be created for each of the detected vulnerabilities.

Does WhiteSource Bolt for GitHub support branch protection rules?

Yes. You can set up a branch protection rule that prevents pull requests from being merged if one or more vulnerabilities were detected in the repository.

Troubleshooting

GitHub shows that the Bolt for GitHub App is installed, but I don't see anything. Why?

This can happen due to one of the following:

You haven’t completed the installation or verification process.

The ‘Issues’ tab is disabled for your repository. To enable it, go to your GitHub repository ‘Settings’ page and under the ‘Features’ section, select the ‘Issues’ checkbox.

No vulnerabilities were found in the scanned repository.

If you installed the App on a large number of repositories, the scan may still be running.